Old 04-16-2003, 10:30 AM   #1
Belyle
LQ Newbie
 
Registered: Apr 2003
Location: South Africa, Bloemfontein
Distribution: Red Hat 7.3
Posts: 2

Rep: Reputation: 0
Iptables with gShield running over it


Hello people. I am running Red Hat 7.3 with iptables v 1.2.8 on and kernel v 2.4.18-3
If I lsmod I do see the iptables modules loaded, but when I want to restart gShield.rc it gives me this.

[root@TheVault root]# /etc/firewall/gShield.rc
[gShield] initializing v2.7.1
[gShield] interface eth1 up
[gShield] default TCP response set to REJECT with tcp-reset
[gShield] default UDP response set to REJECT with icmp-port-unreachable
[gShield] default logging rate limit set to 20/m
[gShield] not logging ICMP
[gShield] 192.168.1.0/24 authorized for NAT
[gShield] 10.0.0.1/8 authorized for NAT
iptables v1.2.8: host/network `--dport' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: invalid TCP port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
[gShield] Forwarding tcp : -> : for
[gShield] allowing all ICMP at rate of 60/m
[gShield] allowing all traceroutes
[gShield] ftpd publically accessible
[gShield] sshd publically accessible
/etc/firewall/gShield.rc: /etc/firewall/sourced/services.rules: line 320: syntax error near unexpected token `|RETURN)'
/etc/firewall/gShield.rc: /etc/firewall/sourced/services.rules: line 320: ` return|RETURN)'
[gShield] error: cannot load services.rules.

Please, if you have some info on this share...I am a newbie on the edge
 
Old 04-16-2003, 11:13 AM   #2
croftale
LQ Newbie
 
Registered: Jan 2003
Location: North Attleboro, MA
Distribution: Fedora Core 2
Posts: 6

Rep: Reputation: 0

Following is a section of that services.rules file. Please note the syntax of the case. Could it be that there isn't the double ";" before the next test? I would search through the file looking at that point and verify that the syntax is correct. As to the other error, could it be possible that you are trying to activate or control a service not entered in /etc/services?
Without seeing all your configuration files, it is hard to tell what is going on.


# ------ [ IDENTD_SERVICE ] ------ #
case "$IDENTD_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "identd publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 113 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 113 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "identd accessible and forwarded to $IDENTD_HOST"
        $IPTABLES -A FORWARD -p tcp -d $IDENTD_HOST --dport 113 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $IDENTD_HOST --dport 113 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 113 -j DNAT --to $IDENTD_HOST:113
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 113 -j DNAT --to $IDENTD_HOST:113
        ;;
    return|RETURN)
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
        ;;

    reject|REJECT)
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
        ;;

    no|NO|CLOSED|closed)
        ;;

    *)
        SYSLOG "Error: Please check defined identd variables in gShield.conf"
esac
 
Old 04-17-2003, 02:01 AM   #3
Belyle
LQ Newbie
 
Registered: Apr 2003
Location: South Africa, Bloemfontein
Distribution: Red Hat 7.3
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks, I looked at the /etc/firewall/sourced/services.rules file and the ";;" was missing from the line just above line 320.

So that is sorted out now.

Only problem that remains now is this one:
iptables v1.2.8: host/network `--dport' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: invalid TCP port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.

I am not sure what to "look" for in the /etc/services.
What other configuration files should I be looking at?

But thanks for the help so far.
 
Old 04-17-2003, 07:37 AM   #4
croftale
LQ Newbie
 
Registered: Jan 2003
Location: North Attleboro, MA
Distribution: Fedora Core 2
Posts: 6

Rep: Reputation: 0
An old trick I used to use when I did programming eons ago was to put print/echo statements at steps through the program/script. This allowed you to pinpoint an area in the script and narrow it down so that you could isolate the problem/bug. Then when you run it, look at the comment just before and just after the error and that should put you at the point in the script.
Let me know what you find.
Ed.
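
The echo-tracing approach from post #4, as an added example that is not part of the thread and is not gShield code: the script's `$IPTABLES` is pointed at a shell function that prints each argument vector and flags any option whose value is missing. The variable names `FWD_HOST` and `FWD_PORT` are hypothetical, and an empty unquoted variable is shown only as one input that produces the same shape of error as the two iptables messages above, not as the confirmed cause in this thread.

```shell
#!/bin/sh
# Added example: dry-run tracer for firewall scripts that call "$IPTABLES ...".
# Not gShield code; FWD_HOST and FWD_PORT are hypothetical variable names.

# Options that must be followed by a value (subset seen in services.rules).
NEEDS_VALUE="-s -d -p -j --dport --sport --to"

# check_rule ARGS...: echo the argument vector exactly as iptables would
# receive it, and return 1 if a value-taking option is followed by another
# option or by nothing (what an empty, unquoted variable leaves behind).
check_rule() {
    cr_prev="" cr_rc=0
    echo "[trace] iptables $*" >&2
    for cr_arg in "$@"; do
        if [ -n "$cr_prev" ]; then
            case "$cr_arg" in
                -*) echo "[trace]   $cr_prev got '$cr_arg' as its value" >&2
                    cr_rc=1 ;;
            esac
        fi
        cr_prev=""
        case " $NEEDS_VALUE " in
            *" $cr_arg "*) cr_prev="$cr_arg" ;;
        esac
    done
    if [ -n "$cr_prev" ]; then
        echo "[trace]   $cr_prev has no value" >&2
        cr_rc=1
    fi
    return $cr_rc
}

# Dry run: point IPTABLES at the tracer instead of the real binary.
IPTABLES=check_rule

# Constructed input: both forwarding variables are empty.
FWD_HOST=""
FWD_PORT=""
$IPTABLES -A FORWARD -p tcp -d $FWD_HOST --dport $FWD_PORT -j ACCEPT \
    || echo "[trace] rule above was built from empty variables" >&2

# A fully populated rule (taken from the identd section) passes.
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
```

With the tracer in place no rules are loaded, so the script can be run repeatedly while the configuration is corrected.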
 
All times are GMT -5.